When an organization outsources its operations or uses external services, it exposes itself to a range of supply-chain-related risks, including legal liabilities, quality failures, security breaches, corruption risks, and financial risks, as well as brand and reputation risks. To keep these risks in check, regulations such as the FCPA, the UK Bribery Act, the UK Modern Slavery Act, and HIPAA [1], as well as regulators such as the EPA, FDA, OCC, FCA, and CFPB [2], require organizations to maintain well-defined supplier management programs.
The scope and complexity of these programs continue to increase as the supply chain grows. Today’s suppliers include not only those firms that provide raw materials and components, but also those that deliver essential services like distribution logistics, quality auditing, and customer support. Each of these suppliers, in turn, comes with its own web of sub-suppliers and contractors that need to be monitored. A single disruption or unmitigated risk anywhere along this vast network can snowball into a larger issue, impacting bottom-line profits and brand value.
To prevent these issues, organizations need comprehensive, real-time insight into their supply chain. They need to assess and track supplier risks, compliance, performance, and other key metrics in a streamlined and efficient manner. Doing so, as part of a broader supplier management program, is critical to maximizing the value of supplier relationships while building trust with stakeholders and customers.
MetricStream Supplier Risk and Performance Management Solution
The MetricStream Supplier Risk and Performance Management Solution enables organizations to effectively manage, monitor, and track multiple stages of their supplier relationships. The solution extends across the global supplier network, aggregating and mapping supplier and sub-supplier data in a common system for comprehensive transparency. It also facilitates thorough assessments and audits of both current and potential suppliers, thus maintaining a reliable pool of suppliers for each category of product or service. Through powerful reports and dashboards, organizations gain quick and comprehensive insights on their supply chain which can then be transformed into actionable business intelligence to support decision-making.
[1] FCPA - Foreign Corrupt Practices Act; HIPAA - Health Insurance Portability and Accountability Act
[2] EPA - Environmental Protection Agency; FDA - Food and Drug Administration; OCC - Office of the Comptroller of the Currency; FCA - Financial Conduct Authority; CFPB - Consumer Financial Protection Bureau
[3] Source: Customer responses and GRC Journey Business Value Calculator
80% reduction in supplier onboarding time
50% reduction in the time and costs required to complete supplier assessments and to identify risk [3]
Enhanced awareness of supplier risks by validating supplier information with leading industry content providers
Improved supplier consolidation and rationalization, as well as visibility into the businesses, spend, assets, and risk exposure associated with each supplier
Higher confidence in sourcing and negotiation decisions with the help of historical data on supplier performance
Stronger business resilience through streamlined supplier risk assessments aligned with business continuity management
Consolidate and rationalize supplier information, including goods or services provided, contact information, contracts, associated business units, certifications, spend, country, performance scores, and risk or compliance issues. Enable all stakeholders associated with the supplier management process to view accurate and up-to-date supplier information, thereby strengthening the quality of their decisions.
Through the solution’s intuitive supplier profile page, view and manage supplier information effectively. Also, trigger actions such as supplier assessments, issue investigation, supplier termination, subscriptions to alerts, due diligence, and profile updates. Activate a self-service page for authorized suppliers to manage their profiles, upload documentation, and respond to assessments, issues, and action plans.
Onboarding Due Diligence
Effectively manage supplier screening and onboarding, as well as new engagements with existing suppliers. Enable informed supplier selections by checking that all regulations and requirements are met. Follow a structured process to qualify, segment, and rank suppliers based on multiple attributes, including country, annual spend, product or service category, criticality, and revenue.
Trigger appropriate risk and compliance assessments or audits based on a set of rules. Automate supplier risk scoring for further categorization. Screen and validate supplier information with the help of alerts from reliable internal or external sources. Define the frequency of ongoing monitoring activities based on supplier categories.
Validate information on suppliers, and gain insights into their risk, compliance, and performance status with the help of feeds from industry content providers. Source data on politically exposed persons (PEPs), sanction lists, special interest persons (SIPs), state owned enterprises, adverse media listings, financial status, credit rating, regulatory compliance, cybersecurity risks, and sustainability ratings. Subscribe to supplier related alerts based on the risk rating or criticality of each supplier. Review the alerts, and risk rate suppliers accordingly. Perform risk assessments, and log issues for remediation.
Identify the level of risk associated with each supplier and their product or service. Enable risk assessments based on various risk types (e.g. reputation risk, financial risk, strategic risk, bribery/corruption risk, legal risk, IT risk, sustainability risk, business continuity risk, and information security risk). Leverage built-in risk assessment templates, and modify them to suit business needs. Prioritize periodic risk assessment activities based on supplier criticality, rating, tier, and date last assessed.
Enable suppliers to access and respond to their assessments through a self-service page. Based on the responses, automate the calculation of risk scores, and arrive at the overall supplier risk posture.
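The onboarding rules (which assessments a supplier's attributes and screening results trigger), the automated risk scoring from assessment responses, and the prioritization of periodic reassessment by tier, criticality and date last assessed are described above only in outline. The following is an added illustration of how such a rule-driven engine can be put together; it is not MetricStream's code and does not reflect its scoring model. The risk-domain weights, tier cut-offs, review cadences, the list of elevated-risk country codes, and the three sample suppliers are all assumptions constructed for the example.

```python
"""Illustrative rule-driven supplier risk scoring and assessment scheduling.

Assumed model (not MetricStream's): a supplier carries onboarding attributes,
a screening flag, and per-risk-type assessment scores on a 0-100 scale
(0 = no risk observed, 100 = worst). Everything below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed domain weights; they sum to 1.0 so the composite stays on 0-100.
WEIGHTS = {
    "information_security": 0.30,
    "bribery_corruption": 0.20,
    "financial": 0.20,
    "business_continuity": 0.15,
    "sustainability": 0.15,
}
# Assumed tiers: (inclusive lower bound, tier name, review cadence in days).
TIERS = [(70, "critical", 90), (40, "high", 180), (0, "standard", 365)]
# Assumed set of country codes the program treats as elevated for ABAC
# screening ("XX"/"YY" are placeholders, not real ISO codes).
ELEVATED_ABAC_COUNTRIES = {"XX", "YY"}
UNKNOWN_SCORE = 50.0   # an unanswered domain is scored as unknown, not as safe


@dataclass
class Supplier:
    name: str
    country: str
    category: str                 # e.g. "it_services", "logistics"
    annual_spend: float
    critical: bool                # business deems the service critical
    handles_phi: bool = False     # protected health information (HIPAA)
    handles_card_data: bool = False
    screening_hit: bool = False   # PEP / sanctions / adverse-media hit
    last_assessed: Optional[date] = None
    scores: dict = field(default_factory=dict)


def required_assessments(s: Supplier) -> list:
    """Onboarding rule set: which questionnaires a supplier's profile triggers."""
    req = ["code_of_conduct"]                                   # everyone
    if s.country in ELEVATED_ABAC_COUNTRIES or s.annual_spend >= 1_000_000:
        req.append("anti_bribery_corruption")
    if s.category == "it_services" or s.handles_phi or s.handles_card_data:
        req.append("information_security_sig")
    if s.handles_phi:
        req.append("hipaa_hitech")
    if s.handles_card_data:
        req.append("pci_dss")
    if s.critical:
        req.append("business_continuity")
    if s.screening_hit:
        req.append("enhanced_due_diligence")
    return req


def composite_score(s: Supplier) -> float:
    """Weighted composite of assessment responses. Missing domains count as
    UNKNOWN_SCORE so a supplier cannot lower its risk by not answering; a
    screening hit floors the score at the critical-tier threshold."""
    total = sum(WEIGHTS[d] * s.scores.get(d, UNKNOWN_SCORE) for d in WEIGHTS)
    if s.screening_hit:
        total = max(total, TIERS[0][0])
    return round(total, 1)


def tier(score: float) -> tuple:
    """Map a composite score to (tier name, review cadence in days)."""
    for floor, name, cadence in TIERS:
        if score >= floor:
            return name, cadence
    raise ValueError("score below zero")


def assessment_queue(suppliers, today: date) -> list:
    """Suppliers due for reassessment as (name, tier, days overdue),
    highest tier first, then most overdue first. Critical suppliers are
    reviewed at least every 180 days regardless of score (assumed policy)."""
    due = []
    for s in suppliers:
        name, cadence = tier(composite_score(s))
        if s.critical:
            cadence = min(cadence, 180)
        age = (today - s.last_assessed).days if s.last_assessed else 10**6
        if age >= cadence:
            due.append((s.name, name, age - cadence))
    rank = {"critical": 0, "high": 1, "standard": 2}
    due.sort(key=lambda r: (rank[r[1]], -r[2]))
    return due


# Constructed sample suppliers (fictional names and values).
SAMPLE = [
    Supplier("Acme Cloud", "US", "it_services", 2_500_000, True, handles_phi=True,
             last_assessed=date(2023, 1, 15),
             scores={"information_security": 35, "bribery_corruption": 10,
                     "financial": 20, "business_continuity": 40, "sustainability": 30}),
    Supplier("Port Freight", "XX", "logistics", 300_000, False,
             last_assessed=date(2023, 11, 1),
             scores={"bribery_corruption": 60, "financial": 70, "sustainability": 50}),
    Supplier("Widget Parts", "DE", "components", 50_000, False, screening_hit=True),
]
TODAY = date(2024, 6, 1)   # fixed "today" so the run is reproducible


def demo() -> list:
    return assessment_queue(SAMPLE, TODAY)


if __name__ == "__main__":
    for s in SAMPLE:
        print(s.name, composite_score(s), tier(composite_score(s))[0],
              required_assessments(s))
    print(demo())
```

Two design points carry over to any real program: unanswered questionnaire domains are scored as unknown rather than as zero risk, so silence cannot improve a supplier's posture, and a screening hit (sanctions, PEP, adverse media) forces the supplier into the top tier irrespective of its self-reported answers until enhanced due diligence clears it.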
Identify, measure, and monitor the compliance status of suppliers in a systematic manner. Create and conduct compliance assessments and surveys based on internal policies, as well as local, regional, and international laws.
Assess supplier compliance with ABAC mandates, FCPA, PCI-DSS, HIPAA, the HITECH Act, codes of conduct, information security, social accountability, anti-slavery, and other compliance requirements. Collect certifications and attestations in line with regulatory requirements.
Key Compliance Requirements
Anti-Bribery and Anti-Corruption - FCPA, UK Bribery Act: Leverage built-in anti-bribery and anti-corruption assessment templates to evaluate suppliers. Conduct further validation and screening with the help of content from external sources such as Dow Jones.
Information Security - PCI-DSS, HIPAA, HITECH Act, GLBA: Conduct a preliminary evaluation of supplier information security capabilities. Enable deep-dive assessments by leveraging the Shared Assessments Standardized Information Gathering (SIG) questionnaires A-Z. Collect and store attestations and certifications from suppliers indicating compliance with data security and privacy laws and standards.
Social Compliance - UK Modern Slavery Act: Streamline assessments and audits to determine whether suppliers use forced or slave labor in their operations or supply chains.
Environment, Health, and Safety – EPA Mandates, ISO 14001, OHSAS: Assess the environmental sustainability, health, and safety practices of suppliers. Capture and store supplier certifications. Validate information by sourcing sustainability ratings from leading content providers.
Identify key suppliers for auditing based on their risk scores, screening results, and other important parameters such as the criticality of the supplier, product or service provided, and country. Enable various types of supplier audits, including compliance audits, quality audits, safety audits, IT audits, environmental audits, social responsibility audits, and sustainability audits. Conduct onsite audits or detailed online audit assessments.
Accelerate audit processes, ranging from information gathering, to audit planning and scheduling, field work, reporting, and issue remediation. Design or modify checklists to evaluate suppliers based on multiple parameters.
Define supplier performance metrics based on contracts and policies. Assess and track each supplier's key performance indicator (KPI) scores (e.g. cost, delivery, service, quality).
Incorporate supplier performance and risk data from various systems, departments, content providers, and processes like audits, assessments, and inspections. Strengthen business decisions by leveraging supplier scorecards, and comparing scores based on the product or service type offered.
Benchmark how suppliers improve over time, view trends, and identify preferred suppliers. Enable suppliers to monitor their own status and performance through specific reports and dashboards.
Business Continuity Management
Enable an effective business continuity management program in compliance with industry standards. Capture and track supplier business continuity plans and response to emergencies and critical events.
If an incident occurs or if a risk threshold is breached, trigger automated alerts and notifications to relevant stakeholders, including affected customers, business units, and divisions. Leverage advanced capabilities such as emergency mass notification systems (EMNS) and mobile alerts to rapidly communicate and implement business continuity plans, thereby enhancing crisis response and recovery.
Capture supplier issues and conduct investigations to determine the root cause. Manage interim containment action items, as well as long-term corrective and preventive actions. Verify that the remediation actually resolved the problem before closing the issue. Enable a structured process to terminate and off-board specific suppliers in the event of contract breaches or expiry, unsatisfactory performance, or non-compliance.